1. Field of the Invention
The present invention relates to authentication and access management, in general, which combines processes, technologies and policies to manage digital identities and specify how they are used to access resources. More specifically, the methods and apparatus are related to authentication into Internet hosted environments via remote login. They involve an enterprise, i.e. the owner of the hosted site (or operations center), an enterprise's customers' mission-critical web applications or services hosted into the site, and partner companies working with the enterprise in the hosted environment delivering services to the customers. The customers may have end users logging into the site along with the customer, partner and enterprise's employees.
2. Relevant Background of the Invention
Authentication is any process by which the identity of someone is claiming that identity is verified. This usually involves a username and a password. However, it can also include any other method of demonstrating identity, such as a smart card, a retinal scan, voice recognition, or fingerprints. Authentication is equivalent to showing a drivers license at the ticket counter at the airport. Authorization is finding out if the person, once identified, is permitted to use a particular resource. This is usually determined by finding out if that person is a part of a previously established group with predefined characteristics, or has a particular level in the predefined set of security privileges. Finally, access control is a much more general way of defining the controlled access to a resource. Access can be granted or denied based on a wide variety of criteria such as the network address of the client, the time of day, the browser which the visitor is using, and the like. Access control is controlling a user's reach to a desired resource by some arbitrary condition which may or may not have anything to do with the attributes of that particular user.
Because these three techniques are so closely related, generally, in most real applications, it is difficult to analyze them separately from one another. In particular, in most of the real-world implementations, authentication and authorization are inextricably linked.
Basic authentication, which involves sending client-browser-stored passwords to a server over the Internet, and digest authentication, which implies sending digests of the passwords (such as MD5) to a server over the public wire, both suffer from the same major flaw. The password or its digest traversal may happen over an SSL (Secure Socket Layer) protocol. There are also temporary passwords sent for initial login (usually by email) “in the clear” or over unsecured networks. Encrypted or not, smart hackers can figure out how to use the password and/or the alongside content information traveling over the Internet. Secondly, text files are used to store authentication information. The problem with this technique is the burden of looking something up in a text file that has no index. Every user request needs to go through this time-costly operation. Since HTTP is stateless, authentication has to be verified every time that content is requested. This can be prohibitively slow, particularly for large numbers of users. In many cases, a valid username/password is rejected because the authentication module just had to spend so much time looking for the username in the file that the server timed out and returned a failed authentication. So, typically, an alternative is to use some variety of databases which are optimized for looking for a particular piece of information in a very large data set. The database builds indices in order to rapidly locate a particular record, and has query languages for swiftly locating records that match a particular criteria. There are numerous modules available for servers to authenticate using a variety of different databases. On a large scale, in the United States, there is for example, National Science Foundation's (NSF) “Participants for Advanced Computational Infrastructure”, or PACI.
The focus of the present invention, however, is on small to medium sized, cost-effective Internet hosted shared environments; the types used by Application Service Providers (ASPs) where employees, customers and partners work together to provide and access business services based on Internet-based applications.
The economies of scale have driven computing platform vendors to develop products with very generalized capabilities. As a result, these products can be utilized in a wide variety of ways to accomplish a given set of business goals. These products possess varying ranges of privileges to operate on the resources in a given environment making the environment complex in terms of security and privacy. Secondly, most authentication mechanisms end up being cumbersome in the process of designing them to be highly secure. Some have easy-to-use but weak authentication and some employ overly complicated multiple login steps or packaged solutions that may have customization and administrative overhead. When employees as well as business partners and/or customers of an enterprise share a common business system for use, it becomes necessary to develop an overall authentication mechanism that is not only secure to protect the interests of the business entities, but also very friendly and easy to use and maintain. In addition, role-based access control helps to define authorization using people's roles and their functional characteristics in the operational environment of the hosted site. Access is the ability to do something with a computer resource (e.g., use, change, or view). Access control is the means by which the ability is explicitly enabled or restricted in some way (usually through physical and system-based controls). Computer-based access controls can prescribe not only who or what process may have access to a specific system resource, but also the type of access that is permitted. These controls may be implemented in the computer system, in external devices or software artifacts.
As shown below in FIG. 1, the context and background of the present invention includes primarily five types of inter-networked environments on the Internet: an Enterprise's corporate intranet—“Network1” 102; a Web Service provider network for customer's application hosting in the Customer Application Operations Center (“CAOC”) by the enterprise—“Network2” 104; an Enterprise's (Business) Partner Network—“Network3” 106; an Enterprise's Customer Network—not explicitly shown in FIG. 1; and the Internet 108. All communication from Network 102 and Network 106 to Network 104 is via SSL over the Internet 108. There are also remote enterprise, partner and customer users, along with CAOC administrators communicating with the CAOC over the Internet 108.
The customer's web service or application resides at the enterprise's CAOC site. The primary components of the system are the web application, the application server which hosts the application and web server on the same or a different host as the application's host, the database server (where the passwords are stored) and two supporting application servers for data and system management and administration.
Enterprise employees, customers and partners as users of the web application log into the application over Secure Socket Layer (SSL) protocol (using browsers supporting SSL 3.0 or higher) from an enterprise's, partner's or customer's corporate network, or from the Internet. The user's IDs and passwords traverse the networks in encrypted form. The users of the service are the customers and their end users who subscribe to the application, but note that overall users includes employees of all tenant companies, partners and customers, as well as those of the enterprise. Administrators of the hosted site are either the enterprise or the partner employees, and follow the rules for employees and partners respectively. The partner users login from within their network, Network3, or from the Internet, as shown above. Similarly, customers login from their corporate networks or from the Internet.
While there are role-based access control mechanisms on the Internet, they do not provide multi-tenant, highly secure methods for a hosting environment that combine business unit information into the role definition, making the role unique across all tenants and useful for flexible role building and authorization policy deployment. What is desired is that the role can be realistic while being unique. Therefore, it can be basic but also flexible and combinatorial, and is able to be the foundation for authorization and re-authorization during the process of resuming a session. In addition, it should be able to be represented in a standardized language for hosting site policy enforcement and usage without injecting complexity into the process of development and maintenance.